Temporal search: detecting hidden malware timebombs with virtual machines

ASPLOS XII Pub Date : 2006-10-23 DOI:10.1145/1168857.1168862
Jedidiah R. Crandall, Gary Wassermann, Daniela Oliveira, Z. Su, S. F. Wu, F. Chong
Citations: 80

Abstract

Worms, viruses, and other malware can be ticking bombs counting down to a specific time, when they might, for example, delete files or download new instructions from a public web server. We propose a novel virtual-machine-based analysis technique to automatically discover the timetable of a piece of malware, or when events will be triggered, so that other types of analysis can discern what those events are. This information can be invaluable for responding to rapid malware, and automating its discovery can provide more accurate information with less delay than careful human analysis.

Developing an automated system that produces the timetable of a piece of malware is a challenging research problem. In this paper, we describe our implementation of a key component of such a system: the discovery of timers without making assumptions about the integrity of the infected system's kernel. Our technique runs a virtual machine at slightly different rates of perceived time (time as seen by the virtual machine), and identifies time counters by correlating memory write frequency to timer interrupt frequency.

We also analyze real malware to assess the feasibility of using full-system, machine-level symbolic execution on these timers to discover predicates. Because of the intricacies of the Gregorian calendar (leap years, different number of days in each month, etc.) these predicates will not be direct expressions on the timer but instead an annotated trace; so we formalize the calculation of a timetable as a weakest precondition calculation. Our analysis of six real worms sheds light on two challenges for future work: 1) time-dependent malware behavior often does not follow a linear timetable; and 2) an attacker with knowledge of the analysis technique can evade it. Our current results are promising in that with simple symbolic execution we are able to discover predicates on the day of the month for four real worms. Then through more traditional manual analysis we conclude that a more control-flow-sensitive symbolic execution implementation would discover all predicates for the malware we analyzed.
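The timer-discovery step described in the abstract (run the guest at different rates of perceived time, keep the memory locations whose write rate tracks the timer-interrupt rate), as an added, simplified illustration that is not code from the paper or its authors. The guest is a constructed model rather than a real VM: the host delivers timer interrupts at a chosen rate while the guest kernel still believes its timer runs at `NOMINAL_HZ`, and the "hypervisor" simply counts writes per address. Instead of correlating write frequency against interrupt frequency within one run, this version compares per-address write counts across two runs and keeps addresses whose ratio matches the ratio of interrupt rates; the addresses, rates and tolerance are all assumptions made for the example.

```python
"""Added example (not code from the paper): a toy reconstruction of the
timer-discovery step. The same constructed guest workload is run twice with
the host delivering timer interrupts at two different rates while the guest
still believes the timer runs at NOMINAL_HZ; addresses whose write count
scales with the interrupt rate are reported as time-counter candidates."""
import random

CPU_HZ = 100_000     # constructed: guest cycles per real second
NOMINAL_HZ = 100     # rate the guest kernel *believes* its timer runs at


def run_guest(timer_hz, cycles, seed=1):
    """Simulated guest. Returns {address: number of writes} for `cycles`
    cycles of execution with timer interrupts delivered at `timer_hz`."""
    rng = random.Random(seed)
    writes = {0x1000: 0, 0x2000: 0, 0x2004: 0, 0x3000: 0}   # constructed addresses
    cycles_per_tick = CPU_HZ // timer_hz
    ticks = 0
    for cyc in range(cycles):
        writes[0x1000] += 1                 # busy loop: one write per cycle, rate-independent
        if rng.random() < 0.01:             # unrelated bursty writes (I/O, allocator, ...)
            writes[0x3000] += 1
        if cyc % cycles_per_tick == 0:      # timer interrupt fires
            ticks += 1
            writes[0x2000] += 1             # jiffies-style tick counter
            if ticks % NOMINAL_HZ == 0:     # guest converts ticks to seconds with its
                writes[0x2004] += 1         # nominal HZ, so this also tracks the real rate
    return writes


def timer_candidates(writes_a, hz_a, writes_b, hz_b, tol=0.05, min_writes=8):
    """Addresses whose write-count ratio between the two runs matches the
    ratio of delivered interrupt rates within `tol` (relative)."""
    expected = hz_b / hz_a
    found = []
    for addr in sorted(set(writes_a) | set(writes_b)):
        a, b = writes_a.get(addr, 0), writes_b.get(addr, 0)
        if a < min_writes or b < min_writes:
            continue                        # too few samples to say anything
        ratio = b / a
        if abs(ratio - expected) <= tol * expected:
            found.append(addr)
    return found


def discover(cycles=1_000_000, hz_a=100, hz_b=120):
    """Run the guest at two perceived-time rates and return candidate timers."""
    run_a = run_guest(hz_a, cycles)
    run_b = run_guest(hz_b, cycles)
    return timer_candidates(run_a, hz_a, run_b, hz_b)


if __name__ == "__main__":
    print([hex(a) for a in discover()])     # expect ['0x2000', '0x2004']
```

The busy-loop counter at `0x1000` and the noise writes at `0x3000` have the same count in both runs (ratio 1.0) and are rejected; the tick counter and the derived seconds counter scale with the delivered rate and are kept. The rate perturbation must exceed the tolerance plus measurement noise, otherwise rate-independent writes cannot be told apart from timers; the paper uses "slightly different" rates, and the 20% gap here is chosen only to keep the toy unambiguous.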
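The abstract's point that a calendar predicate does not translate into a linear timetable on the timer, as an added illustration that is not code from the paper: a predicate on calendar fields (the paper reports recovering tests on the day of the month) is walked back into half-open intervals of epoch seconds, which is the timer's own unit in this example. The predicate, the 2006 horizon and the UTC assumption are constructed for the example; no worm from the paper is being modelled.

```python
"""Added example (not code from the paper): turning a predicate on calendar
fields back into a timetable in the timer's units (seconds since the Unix
epoch, UTC assumed). The predicates used are constructed for illustration."""
from datetime import datetime, timedelta, timezone


def timetable(pred, start, horizon_days):
    """Walk the horizon one calendar day at a time (the predicate's own
    granularity) and merge consecutive satisfying days into half-open
    [begin, end) intervals of epoch seconds."""
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    intervals = []
    for _ in range(horizon_days):
        nxt = day + timedelta(days=1)
        if pred(day):
            begin, end = int(day.timestamp()), int(nxt.timestamp())
            if intervals and intervals[-1][1] == begin:
                intervals[-1] = (intervals[-1][0], end)   # extend the open window
            else:
                intervals.append((begin, end))
        day = nxt
    return intervals


def gaps_between_triggers(intervals):
    """Seconds between the starts of successive trigger windows. These are not
    constant, which is why the timetable is not a linear function of the timer."""
    return [b[0] - a[0] for a, b in zip(intervals, intervals[1:])]


def example_timetable(pred=lambda d: d.day == 31, year=2006):
    """Constructed driver: trigger windows for `pred` over one (non-leap) year."""
    start = datetime(year, 1, 1, tzinfo=timezone.utc)
    return timetable(pred, start, 365)


if __name__ == "__main__":
    tt = example_timetable()
    for begin, end in tt:
        print(datetime.fromtimestamp(begin, timezone.utc).date(), begin, end)
    print(sorted({g // 86400 for g in gaps_between_triggers(tt)}))   # distinct gaps, in days
```

For a "fires on the 31st" predicate the gaps between successive windows come out as 31, 59 and 61 days depending on which months lie between them; a predicate on a range of days (for example `d.day >= 30`) yields merged multi-day windows. A real implementation would carry the guest's actual tick-to-date conversion (including the leap-year rules the abstract mentions) rather than Python's calendar, but the shape of the result, a list of irregular intervals rather than a period, is the same.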